Closed noloader closed 2 years ago
Taking these in order:
TLDR: Run the following when godojo is done installing (assuming you didn't change the install root):
rm -rf /opt/dojo/django-DefectDojo/tests
rm -rf /opt/dojo/django-DefectDojo/unittests
More details:
(1) "It looks like there's about 2500 questionable files:"
One of the core data models of DefectDojo is 'test' so find/grep'ing for test won't give anything like accurate results. See the data model documentation for more details.
The application tests (unit/integration) are under tests and unittests directories in the root of the source which is /opt/dojo/django-DefectDojo/ for godojo installs with the default install location.
If you really don't want those files as part of your final install, a quick two rm -rf commands will clear those out once godojo has completed the install.
(2) "I don't recall seeing one for the installation type"
The purpose of the dev install is to quickly set up a DefectDojo installation where all the configs are known and use pre-defined values. This lets you make one config change to set type to 'dev' and have a consistent install configuration when you choose that option. Basically, it should only be used if you're QA testing or dev'ing on DefectDojo.
godojo uses the release tarball for getting the source code for DefectDojo - assuming you don't install at a specific commit or head of a branch. In those cases (branch/commit) you'll get the equivalent of a git clone from the repo and have all the source.
(3) "I also see what may be test gear in the database"
See the link above to the data models for DefectDojo - the tables you mention are valid tables. For example:
- dojo_test_files - holds files uploaded/associated with a specific test in DefectDojo
- dojo_test_notes - holds note(s) added to a test in DefectDojo.
HTH
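The two rm -rf commands above, wrapped in a small sanity check so that the delete only runs against something that looks like a DefectDojo source tree. This is an added example, not part of godojo or the reply above; it assumes a godojo layout of INSTALL_ROOT/django-DefectDojo with manage.py and a dojo/ package at its top level.

```shell
# Added example (not from godojo): remove the application test trees from a
# finished godojo install, refusing to touch a path that does not look like a
# DefectDojo source tree so a wrong root is never deleted.
# Usage: strip_dojo_tests [install_root]   (default /opt/dojo, as godojo uses)
strip_dojo_tests() {
    root="${1:-/opt/dojo}"
    src="$root/django-DefectDojo"
    # Assumed layout check: manage.py and a dojo/ package at the source root.
    # Returns 2 on an unexpected tree so callers can distinguish it from success.
    if [ ! -f "$src/manage.py" ] || [ ! -d "$src/dojo" ]; then
        echo "strip_dojo_tests: $src does not look like a DefectDojo tree" >&2
        return 2
    fi
    removed=0
    for d in tests unittests; do
        if [ -d "$src/$d" ]; then
            rm -rf "$src/$d"
            removed=$((removed + 1))
        fi
    done
    echo "removed $removed test tree(s) under $src"
    return 0
}

# Audit helper: succeeds (exit 0) if either test tree is still present.
dojo_tests_present() {
    src="${1:-/opt/dojo}/django-DefectDojo"
    [ -d "$src/tests" ] || [ -d "$src/unittests" ]
}
```

Run dojo_tests_present after an install to confirm the trees are gone before taking the first backup.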
I've got DefectDojo from the tip of Master running on Fedora 35 with Postgres. When I look at the installed warez I see a lot of debug and test gear. I don't think the debug and testing gear should be present after an install since it increases attack surface. It also takes time when trying to audit an installation. Finally, it adds to the backup and restore times.
And to be clear... prior to installation, you should run the tests. Once tested, you install the production stuff only (or delete the test gear).
It looks like there's about 2500 questionable files:
And:
And my apologies if I missed a setting in `dojoConfig.yml`. I don't recall seeing one for the installation type (debug vs release or production). `godojo -help` does say the following, but I did not use the `-dev` option:
I also see what may be test gear in the database. I am not sure if these are false positives. Given that there are tables like `dojo_engagement_files` and `dojo_engagement_notes`, it looks like the other ones, like `dojo_test_files` and `dojo_test_notes`, could be superfluous.